Abstract: The main objective of this study is to assess corporate governance disclosures in the annual reports of South Africa’s national government departments. The main finding is that national government departments do not widely adhere to sound corporate governance practices, as recommended by the King III Report on Corporate Governance, and as required by the Public Finance Management Act and the South African Treasury Regulations. The critical areas that were poorly disclosed by national government departments include the information which indicates whether the strategic internal audit plan was based on the key areas of risk facing the department, and whether this plan had taken into account the department’s risk management strategy. Further, it was not clear whether departments had Chief Risk Officers, or a directorate for risk management, to drive the risk management programme.

The study does note, however, that there are some national government departments that have demonstrated compliance with the spirit of good corporate governance by disclosing the required information in their annual reports. Stemming from this, the study recommends that those government departments which are compliant with the required corporate governance disclosures share their corporate governance disclosure practices with their counterparts in interdepartmental meetings. A further recommendation stemming from the findings is that those employees who are responsible for preparing the annual reports in each national government department should conduct a benchmarking exercise against other departments’ annual reports, to assist them to identify and understand any shortcomings in their annual reports.

Addressing emerging risks in transborder cloud computing and the protection of personal information : the role of internal auditors

Abstract: There is general consensus amongst researchers that most South African companies are not yet ready to comply with the Protection of Personal Information Act No. 4 of 2013 (the POPI Act) as they lack the necessary skills, knowledge and understanding to effect such compliance. Whilst the flow of personal information to transborder clouds is lawful according to section 72 of the POPI Act, and cloud services offer benefits such as cost savings and agility, it has been determined that companies are yet to take cognisance of the fact that there are risks associated with such transfers. Five preeminent emerging risks associated with cloud data storage include data location, security, privacy, legal compliance and the cloud service providers themselves. Because of their role as assurance providers, with knowledge about organisational strategy, processes and operations, internal auditors are found to be uniquely positioned within companies to assist effectively with risk management as required by The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the corporate governance standards presented in King III. Internal auditors have been shown to be able to assist in mitigating each of the five emerging risks through their effective auditing of contracts, policies, procedures and controls, which ultimately results in effective advice and assurance for boards, management and stakeholders.

Abstract: The increase in the number of company failures, and in the occurrence of corporate fines and lawsuits due to noncompliance with statutes and regulations, has been attributed to inadequate or failed governance, risk, and compliance (GRC) processes. The purpose of this study is to explore internal audit’s role in embedding GRC processes in state-owned companies. Internal auditors were found to be actively involved in assisting their organisations in embedding GRC processes, and in improving their GRC maturity through spearheading and coordinating the implementation of combined assurance protocols. In this regard internal auditors were found to be most effective when they have buy-in from top management.

Mitigating strategies for sampling risks to enhance the reliability of the internal audit opinion

Author: L.A. Smidt, D.P. Van der Nest, G.P. Coetzee and D.S. Lubbe

Affiliations: 1 Tshwane University of Technology, 2 Tshwane University of Technology, 3 Tshwane University of Technology and 4 University of the Free State

Abstract: This article explores the mitigating strategies for risks associated with the use of sampling techniques that are implemented by internal audit functions in the banking sector of South Africa. Risks associated with audit sampling techniques may adversely impact the reliability of the internal audit opinion, which is used by various stakeholders when performing their decision-making duties. The research results indicate that respondents mostly implement in-house mitigating strategies to minimise the risks relating to the calculation of the sample size, the application of the sampling selection method and the evaluation of the sample results. External mitigating strategies are implemented to a lesser extent, and this situation should be explored by the respective respondents.

The performance audit : are there differences in the planning approach and practices followed within the South African public sector?

Author: E. Gildenhuis and M. Roos

Affiliations: 1 University of Pretoria and 2 University of Stellenbosch

Abstract: The importance of a formal, documented approach and methodology as part of the audit process is well recognised. In South Africa, only a few national departments have dedicated performance audit sections within the Internal Audit Function (IAF), and limited performance audits are being conducted. The limited execution of performance audits and the lack of information on performance audit methodologies adopted within the public sector by IAFs prompted this research. The research objective was to identify the differences in the performance audit planning practices followed by internal auditors within the South African public sector, as well as the reasons behind these differences, by critically comparing the performance audit methodologies within the IAFs in selected national departments with the methodology followed by the AGSA. The results indicated that, although differences do exist between the performance audit planning practices of these institutions and those of the AGSA, numerous similarities also exist. Research on the different planning activities prescribed by the methodologies adopted by national departments and the AGSA provides valuable information that may contribute to the growth of the performance audit discipline in the public sector and could enable the performance audit process itself to become more effective and efficient. It is recommended that national departments and the AGSA consider these differences and the rationale behind these differences when compiling or updating their performance audit methodology.

Abstract: The purpose of this paper is to explore the completeness and quality of audit reports as perceived by internal audit’s primary customer – the audit committee.

Data was collected using a structured questionnaire that was sent to audit committee chairpersons of banks registered with the South African Reserve Bank. Respondents were asked to provide their perceptions of the quality of the internal audit reports they routinely received.
The results highlight that not all internal audit functions present clear and appropriately focused reports. Whilst the audit committee chairpersons recognise that the internal audit reports do have value, there is also significant potential for improvement.

Perspectives of chief audit executives on the implementation of combined assurance

Abstract: This article explores the status of current combined assurance practices as experienced by the chief audit executives (CAEs) of listed companies in the financial services industry in South Africa. The study aims to determine the status of combined assurance, to identify critical success factors for the implementation of combined assurance, to determine the role of internal audit in the implementation of combined assurance, and to identify limiting factors that may hamper the success of the combined assurance process as described in the literature and experienced by the chief audit executives (CAEs) of the companies surveyed.

The results of the study indicate that combined assurance implementation is seen as a journey, and that organisations are still at various levels of maturity in the implementation process. Organisations struggling with full implementation identified the following as limiting factors: a lack of buy-in from executive management; immature second line of defence functions; different regulatory environments, and the lack of a combined assurance champion. Key foundational areas identified as requisite for successful implementation related to appointing a combined assurance champion and an executive sponsor, mature first and second line of defence functions, formal statements of roles and responsibilities of assurance providers, and buy-in and active participation from the audit committee chairperson.